JBoss form based authentication with account lockout - authentication

My application is using Form based authentication and JBoss 5 as application server. I want to add an account lockout mechanism to the application. Does JBoss form based authentication support account lockout? If yes, how do I configure it? If no, what is the best solution without changing the existing functionality much?
I have searched quite a bit on the web, but could not find answer to this.
Any suggestions would be a great help.
Thanks,
jayash

I am not aware of an "out-of-the-box" solution, but there is always the possibility to write a custom login module.
So have a look at the source of the DatabaseServerLoginModule: You could extend it to support a lockout.
Add a flag in the database which indicates that the last verification was not successful
Count and store the number of subsequent login failures in the database for a given user ID
Reset the counter and the flag, if there is a successful verification
But if the counter reaches a limit, the password verification always returns false, and the flag/counter are not reset.
So you can configure the front end to have account lockout: You just declare it to use form-based authentication. But you have to add some pages to maintain the accounts which are locked (you already have this or need this anyway).
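The lockout logic sketched above, as an added example for JBoss 5 (not code from the original answer). It is a hypothetical subclass of DatabaseServerLoginModule that keeps the failure counter and flag in an assumed table LOGIN_STATE(USERNAME, FAILURES, LAST_FAILED), reached through the module's existing dsJndiName option; the threshold of 5 and Java 7 try-with-resources are also assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.naming.InitialContext;
import javax.sql.DataSource;
import org.jboss.security.auth.spi.DatabaseServerLoginModule;

// Hypothetical subclass. The table LOGIN_STATE(USERNAME, FAILURES, LAST_FAILED) and the
// threshold are assumptions; dsJndiName is the datasource option the parent module already reads.
public class LockoutDatabaseLoginModule extends DatabaseServerLoginModule {
    private static final int MAX_FAILURES = 5;
    @Override
    protected boolean validatePassword(String inputPassword, String expectedPassword) {
        String user = getUsername();
        try (Connection c = ((DataSource) new InitialContext().lookup(dsJndiName)).getConnection()) {
            if (failures(c, user) >= MAX_FAILURES) {
                return false; // locked: always fail and leave flag/counter untouched
            }
            boolean ok = super.validatePassword(inputPassword, expectedPassword);
            update(c, user, ok); // success resets, failure increments
            return ok;
        } catch (Exception e) {
            return false; // fail closed if the lockout state cannot be read or written
        }
    }
    private int failures(Connection c, String user) throws SQLException {
        try (PreparedStatement ps = c.prepareStatement("SELECT FAILURES FROM LOGIN_STATE WHERE USERNAME = ?")) {
            ps.setString(1, user);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getInt(1) : 0;
            }
        }
    }
    private void update(Connection c, String user, boolean ok) throws SQLException {
        String sql = ok
            ? "UPDATE LOGIN_STATE SET FAILURES = 0, LAST_FAILED = 0 WHERE USERNAME = ?"
            : "UPDATE LOGIN_STATE SET FAILURES = FAILURES + 1, LAST_FAILED = 1 WHERE USERNAME = ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, user);
            if (ps.executeUpdate() == 0 && !ok) { // no row yet: record the first failure
                try (PreparedStatement ins = c.prepareStatement(
                        "INSERT INTO LOGIN_STATE (USERNAME, FAILURES, LAST_FAILED) VALUES (?, 1, 1)")) {
                    ins.setString(1, user);
                    ins.executeUpdate();
                }
            }
        }
    }
}
```

Once a row reaches MAX_FAILURES the module returns false without touching the row, so only the administration pages mentioned above (resetting FAILURES and LAST_FAILED) can unlock the account.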

Related

How to have same user login with Two Factor for application A and without Two Factor for application B?

The "Two Factor" requirement is configured per user. If we have multiple applications, how do we achieve that
for application A (e.g. a webapp) 2FA is required
but for application B (e.g. a native app), for the same user, 2FA is not required (never, not even for the first time it is used)?
I'm aware of the trustComputer attribute but I don't think it helps for this problem.
Two Factor is at the User level in FusionAuth. This is by design since if the user has selected to protect their account, then they should be forced to provide their additional factor regardless of the Application they are logging into.
There isn't currently a way to change this behavior and we would need to understand the use case in detail as well as any security issues with allowing specific Applications to bypass two-factor authentication.
You can open a feature request on the FusionAuth GitHub issue tracker here: https://github.com/FusionAuth/fusionauth-issues if you want. Please provide as much detail about the use case and why some Applications allow two-factor while others don't. This will help the FusionAuth team assess the implications of adding this feature.

SailsJS secure authentication

I am building an app using SailsJS as backend and Angular as frontend. On many websites I have found that auth is done by setting req.session.userID to some value, but then in the policy it only performs a basic check like if(req.session.userID), and I am not sure that this is secure. What if I put some random string in my cookie named userID? Will the system consider this a valid login?
For example my correct userID is ABCDEF, but what if some attacker comes by and sets his cookie userID to DEFGH? Will the system consider this a valid login? I don't think that there is some background validation against the database going on. Wouldn't it be better to create a model called Sessions which will store a randomly generated session ID and the associated userID? Then at user login the system would generate a random sessionID which will be stored in the DB, and in the policy the system will check if the currently set req.session.sessionID is valid.
I am asking this because I don't have a very deep understanding of Sails, but from my point of view the solution proposed in the documentation doesn't seem secure.
I recommend that you take a look at JWT and how it solves some problems. Then another problem will be "how to store this token". And that you can solve with cookies, local storage, etc., all depending on your needs and possibilities. Usually local storage + middleware on the client side with Redis on the server side (advanced session behavior) is enough.

How to implement a one time authentication mechanism?

I'm trying to create a website to authenticate users through the use of a throwaway password where the assumption is that the user might not use the website again (basically a one time access).
I have done my research on OTP and various solutions to authentication but these don't seem to fit my requirements, most of them seem to rely on users having login credentials to the website whereas my system would allow them access without the need for registering.
The implementation of passwordless authentication by Auth0 seems to fit what you're describing. Even if you were not considering a third-party provider it may be useful to go through the documentation.
Basically, a user can login to a site without any need for a sign-up process. They can do so just by requesting that a one time code is delivered to them, for example, either by email or SMS.
This way, they can get quick access without having to setup a user and in the event that they do come back your application can recognize this because they will most likely be using the same mechanism, that is, you can use the email or mobile phone as the unique identifier.
Disclosure: I'm an Auth0 engineer.
If you do not require your users to register, why do you need authentication at all?
Why not just set a cookie with an unique identifier on the first visit? You can store data at the server side associated with that identifier. Keep track of when you last saw the user, and if they do not return within a certain period, you can delete any data you stored for that user.

Use Liferay to authenticate users from separate standalone application

I'm trying to get my standalone web application to use my Liferay 6.2 as "user store". That means I want the user to log in to Liferay and then be able to move on to another application with some credentials and user-specific information passed as well. Moving on and passing information is already working; the issue I'm having right now is making sure the user object that is passed on is the user that is actually logged in right now.
I use the LFR_SESSION_STATE_ cookie to determine the logged-in user. But when I log in again with another user I get a second cookie with a different user ID. So now I need to make sure that I'm passing the correct user. The USER_UUID cookie does not contain the same UUID as provided by Liferay (as of now I didn't check if it's a hash of the UUID).
Long story short, I'm looking for a way to recognize the currently logged in user and be able to pass the credentials and additional information to my application.
I will take care of security concerns like manipulated cookies etc. subsequently. Maybe that will raise another question when I get to that point ;-)
I'd really appreciate any help or push in the right direction.
Thanks in advance guys ... sebastian
Some possibilities:
Make your application a portlet application
Publish your Liferay Database through LDAP (EE only) and use a separate SSO application
Create a Liferay-Hook that sets a cookie (to "/") containing the required user information - encryption and signatures are on yourself. You can create hooks that get executed on every successful login
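The third option with the signing done, as an added example that is not from the original answer or from Liferay: a hypothetical post-login action that writes an HMAC-signed, expiring cookie, plus the verify step the standalone application runs. It assumes the action is registered with the login.events.post property in the hook's portal.properties, Java 8 (java.util.Base64), and placeholder values for the cookie name, lifetime and secret.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.liferay.portal.kernel.events.Action;
import com.liferay.portal.kernel.events.ActionException;
import com.liferay.portal.model.User;
import com.liferay.portal.util.PortalUtil;

// Hypothetical post-login action (login.events.post). Cookie name, lifetime and the hard-coded
// secret are placeholders; a real deployment loads the secret from configuration, not source.
public class SignedUserCookieAction extends Action {
    static final String COOKIE_NAME = "APP_USER";
    static final byte[] SECRET = "replace-with-a-long-random-secret".getBytes(StandardCharsets.UTF_8);
    @Override
    public void run(HttpServletRequest request, HttpServletResponse response) throws ActionException {
        try {
            User user = PortalUtil.getUser(request); // the user who has just logged in
            String payload = user.getUserId() + "|" + user.getEmailAddress() + "|"
                    + (System.currentTimeMillis() / 1000 + 300); // 5-minute expiry bounds replay
            Cookie cookie = new Cookie(COOKIE_NAME, sign(payload, SECRET));
            cookie.setPath("/"); cookie.setHttpOnly(true); cookie.setSecure(true); // TLS only, not script-readable
            response.addCookie(cookie);
        } catch (Exception e) {
            throw new ActionException(e);
        }
    }
    // base64url(payload) "." base64url(HMAC-SHA256(payload))
    static String sign(String payload, byte[] secret) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        byte[] data = payload.getBytes(StandardCharsets.UTF_8);
        return enc.encodeToString(data) + "." + enc.encodeToString(mac.doFinal(data));
    }
    // Receiving application: returns the payload, or null if the cookie is forged, altered or expired.
    static String verify(String cookieValue, byte[] secret, long nowSeconds) throws Exception {
        int dot = cookieValue.lastIndexOf('.');
        if (dot < 0) return null;
        String payload = new String(Base64.getUrlDecoder().decode(cookieValue.substring(0, dot)), StandardCharsets.UTF_8);
        byte[] expected = sign(payload, secret).getBytes(StandardCharsets.UTF_8); // recompute the MAC
        if (!MessageDigest.isEqual(expected, cookieValue.getBytes(StandardCharsets.UTF_8))) return null; // constant time
        long expires = Long.parseLong(payload.substring(payload.lastIndexOf('|') + 1));
        return expires > nowSeconds ? payload : null;
    }
}
```

The standalone application calls verify() with the cookie value and the current time and trusts only the returned payload, so a user ID copied from LFR_SESSION_STATE_ or edited by hand is rejected because its MAC does not match.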

Implementing ActiveDirectory account lockout after n tries in WCF

I am developing a WCF service which can be consumed by mobile applications to authenticate users against the corporate extranet ActiveDirectory. I am using a customized version of this implementation from Microsoft. I need to implement the account lockout logic so that after n retries the account in the ActiveDirectory should get locked out.
I tried with a stateful WCF service to keep track of the failed log-ins. But the client can start over in the next session and continue with the attack.
I know that the ActiveDirectory policy can be set to enforce this, but just querying the AD - like the Microsoft solution does to authenticate the user - does not lock out the user.
So, I am looking for a solution which will work like logging in to Windows with an incorrect password n times: the account will get locked out as per the policy set in the AD.
I have not seen your code, so I'm guessing you have a similar solution to the one implemented in this example; have a look at this link.
In the above example, please have a look at this line:
DirectoryEntry entry = new DirectoryEntry(_path, domainAndUsername, pwd);
This entry object would be used for authentication when you make a search call on Active Directory.
If you are using the user/password that you want to authenticate, then you need not worry about locking it in your code. The Active Directory policy would be enough.
But after reading your comment I guess you have one specific user that you use to search for mobile application users to check if they exist in your Active Directory or not. If this is the case, effectively you are never authenticating the mobile users, so those users are never going to be blocked automatically.
I would be interested to know your answer.
There are basically two ways of doing this:
You continue the directory search method you are using, but track the number of logins for each user in a custom database, and check this database before doing the directory search.
Use the Windows login instead, and rely on AD to lockout the user. For a description of how to do this check: Active Directory (LDAP) - Check account locked out / Password expired
Edit
After seeing marc_s's comment, I am unsure if doing the directory search will lock out or not. It would actually be a serious security hole if you could try an infinite number of times. But you would need an account that is allowed to query AD before you could use it.
The code you linked to had this line
object obj = entry.NativeObject;
which was to force authentication. Have you included this line?